
Hong Kong domains are the most dangerous in the world; this little factoid from a recent McAfee report generated quite a bit of media coverage, and even made TIME magazine's top stories list (McAfee also issued a press release on the subject). But all is not as it seems, and aspects of the report may have been out of date before the report was even published.

McAfee's study seems to be based on a year's worth of data, and last year was a particularly bad year for the Hong Kong domain, thanks to a gang of botnet spammers registering thousands of domains under the .hk ccTLD.

These domains were most likely registered using stolen credit cards, and contained bogus information in the whois records. The contact email address for each domain was usually an email address at a random free webmail site like Yahoo, Hotmail, or some free webmail domains hosted on Outblaze, where I head the anti-spam operations.

The .hk domains started turning up in spam for porn, fake prescription medication, phishing (identity theft) and many other illegal schemes such as "money mule recruitment", where people are conned into running an "export agency" and unwittingly become conduits for money laundering and receivers of goods bought with stolen credit cards.

This certainly turned out to be a gigantic reputation problem for the .hk ccTLD — far more scam domains were being registered under .hk than legitimate domains. Even worse, these scam domains were being hosted on botnets.

A botnet is a very large, highly failure-tolerant and distributed network. It is also international in nature, so that a child pornography website hosted on an infected PC in Hong Kong could turn up the very next minute on an infected laptop in Brazil. With distributed peer-to-peer botnets the domain name used by a botnet is sometimes its single point of failure.
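The paragraph above describes why the domain name is the weak point of a botnet-hosted site: the content hops between infected machines across countries, but every victim still has to resolve the same name. That hopping is visible to a defender in passive DNS. The following script is an added example (not code from the original post or from Outblaze); it profiles constructed resolution observations per domain and flags names whose A records churn across many addresses and countries within a short window. The hostnames, the RFC 5737 documentation addresses and the thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed DNS resolution observations (not real data; invented hostnames and
# RFC 5737 documentation addresses): (seconds since first lookup, domain, A record, country, TTL)
OBSERVATIONS = [
    (0,    "pills-example.hk", "203.0.113.10",  "HK", 300),
    (60,   "pills-example.hk", "198.51.100.7",  "BR", 300),
    (120,  "pills-example.hk", "192.0.2.55",    "US", 300),
    (180,  "pills-example.hk", "203.0.113.99",  "DE", 300),
    (240,  "pills-example.hk", "198.51.100.23", "KR", 300),
    (0,    "shop-example.hk",  "203.0.113.200", "HK", 86400),
    (3600, "shop-example.hk",  "203.0.113.200", "HK", 86400),
    (7200, "shop-example.hk",  "203.0.113.201", "HK", 86400),
]


@dataclass
class FluxProfile:
    domain: str
    distinct_ips: int
    distinct_countries: int
    min_ttl: int
    window_s: int  # seconds between first and last observation of the domain


def profile_domains(observations):
    """Collapse raw observations into one FluxProfile per domain."""
    per_domain = defaultdict(list)
    for ts, domain, ip, country, ttl in observations:
        per_domain[domain].append((ts, ip, country, ttl))
    profiles = {}
    for domain, rows in per_domain.items():
        times = [r[0] for r in rows]
        profiles[domain] = FluxProfile(
            domain=domain,
            distinct_ips=len({r[1] for r in rows}),
            distinct_countries=len({r[2] for r in rows}),
            min_ttl=min(r[3] for r in rows),
            window_s=max(times) - min(times),
        )
    return profiles


def is_fast_flux(p, min_ips=4, min_countries=2, max_ttl=600, max_window_s=3600):
    """Heuristic: many addresses in several countries, short TTLs, all within one hour.
    Thresholds are assumptions for this example, not values from the post."""
    return (p.distinct_ips >= min_ips
            and p.distinct_countries >= min_countries
            and p.min_ttl <= max_ttl
            and p.window_s <= max_window_s)


def flag_fast_flux(observations, **thresholds):
    """Return the sorted list of domains whose profile matches the fast-flux heuristic."""
    return sorted(d for d, p in profile_domains(observations).items()
                  if is_fast_flux(p, **thresholds))


if __name__ == "__main__":
    for d, p in profile_domains(OBSERVATIONS).items():
        verdict = "FAST-FLUX" if is_fast_flux(p) else "ok"
        print(f"{d}: {p.distinct_ips} IPs, {p.distinct_countries} countries, "
              f"TTL>={p.min_ttl}s over {p.window_s}s -> {verdict}")
```

The flagged list is what a registry or CERT would want as input to a takedown queue: the names are the single point of failure the paragraph mentions, so suspending them at the registry breaks the whole distributed hosting arrangement at once. A real deployment would replace the constructed observations with a passive DNS feed and tune the thresholds against known-good domains that legitimately use CDNs with low TTLs.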

HKDNR, the registry for the .hk ccTLD, was initially slow to react to this problem, prompting antivirus and anti-phishing researchers like Gary Warner (now Director of Research in Computer Forensics & Cybercrime at the University of Alabama at Birmingham) to declare a "crisis situation" in a March 2007 email to a mailing list that discusses phishing. In the email he accused HKDNR of inaction and insufficient response to the concerns of the anti-spam community.

HKDNR and the Hong Kong CERT (HKCERT) were accused of responding to complaints with canned letters that promised to investigate, but appeared to take no action at all. The response letters (samples of which he quoted in his email) encouraged complainants from outside Hong Kong to "report the matter to their local law enforcement agencies", which is, of course, appropriate, but is not a substitute for quick deactivation of these scam domains.

By late 2007, the number of .hk domains registered by scam artists numbered in the tens of thousands. Action by various groups (independent technologists, anti-spam block list providers, CERT teams, law enforcement and regulatory agencies) then seemed to convince HKDNR of the need to take immediate drastic action against scam domains registered in the .hk ccTLD.

As the Postmaster and Head of Anti-spam Operations for Outblaze, I contributed to the effort by providing a feed of several thousand .hk domains from spam reported on our network of 40 million hosted email users.

The results were astounding. Over 10,000 scam domains were terminated in a matter of days. Long term measures were also put in place, such as:

Credit card fraud prevention, including Verified by Visa (most of these scam domains were registered using stolen credit cards)

Due diligence measures to detect fake domain registration

Closer cooperation of HKDNR with relevant authorities and agencies.

International cooperation is vital for two reasons:

as an early warning when scam artists attempt to set up shop again

as a way to share best practices with groups, associations, government regulators, and law enforcement agencies working on the prevention of spam and cybercrime.

In a matter of days, the huge concentration of scammer domains in the .hk ccTLD scattered, shifting to other countries and ccTLDs. Some moved to China (as the McAfee report indicates, a large number of scammer domains still exist in .cn space) and others went onto .biz, .info, and even ccTLDs like .ma (Morocco).
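The feed of reported spam domains mentioned earlier, and the scattering of scam registrations to other ccTLDs described in the paragraph above, are two views of the same measurement: which TLDs the abusive registrations concentrate in, and how that distribution moves once one registry cleans up. The script below is an added example, not code from the original post or from Outblaze; it extracts registrable domains from constructed spam-report URLs, computes each TLD's share of the unique reported domains, and reports the shift between two periods. The URLs, the two-period split and the small hand-picked suffix set are assumptions; a real implementation would use the full Public Suffix List rather than the few suffixes listed here.

```python
from collections import Counter
from urllib.parse import urlsplit

# Hand-picked two-label public suffixes so that "shop.com.hk" counts as a .hk registration.
# This is a stand-in for the full Public Suffix List, which real tooling should use.
MULTI_LABEL_SUFFIXES = {"com.hk", "net.hk", "org.hk", "com.cn", "net.cn", "co.uk"}

# Constructed spam-report URLs (invented names, not real reported domains).
# "Before" models the period of heavy .hk abuse; "after" models the post-cleanup scatter.
REPORTS_BEFORE = [
    "http://pills-a.hk/buy", "http://www.pills-a.hk/", "http://pills-b.hk/",
    "http://pills-c.hk/x", "http://mule-d.hk/", "http://phish-e.hk/login",
    "http://shop-f.com.hk/", "http://static.corp-x.com/", "http://corp-y.com/",
    "http://pills-g.cn/", "http://pills-h.com.cn/",
]
REPORTS_AFTER = [
    "http://pills-a.hk/",
    "http://pills-g.cn/", "http://pills-i.cn/", "http://pills-j.com.cn/", "http://mule-k.cn/",
    "http://pills-l.biz/", "http://phish-m.biz/", "http://mule-n.biz/",
    "http://pills-o.info/", "http://pills-p.info/",
]


def registrable_domain(url):
    """Reduce a reported URL to the domain a registry would actually see registered."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return None
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def tld_of(domain):
    """The top-level label, which identifies the registry responsible for the name."""
    return domain.rsplit(".", 1)[-1]


def tld_shares(urls):
    """Return (share per TLD, count per TLD) over the unique registrable domains in a feed."""
    domains = {registrable_domain(u) for u in urls} - {None}
    counts = Counter(tld_of(d) for d in domains)
    total = sum(counts.values())
    shares = {t: c / total for t, c in counts.items()}
    return shares, counts


def concentration_shift(before_urls, after_urls):
    """Change in each TLD's share between two periods; positive means abuse moved in."""
    before, _ = tld_shares(before_urls)
    after, _ = tld_shares(after_urls)
    return {t: round(after.get(t, 0.0) - before.get(t, 0.0), 3)
            for t in set(before) | set(after)}


if __name__ == "__main__":
    for label, feed in (("before", REPORTS_BEFORE), ("after", REPORTS_AFTER)):
        shares, counts = tld_shares(feed)
        print(label, {t: f"{counts[t]} ({shares[t]:.0%})" for t in sorted(counts)})
    print("shift", dict(sorted(concentration_shift(REPORTS_BEFORE, REPORTS_AFTER).items())))
```

Deduplicating on the registrable domain matters: one scam domain can appear in thousands of spam messages under many hostnames and paths, and a registry needs the list of names to suspend, not the message count. Tracking the share per TLD over time is also how the early-warning goal stated earlier is met in practice: a rising share in a ccTLD that previously had little abuse is the signal to share the feed with that registry before the concentration grows to the size .hk saw.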

The botnet problem is clearly international, and registrars and registries around the world are vulnerable to what HKDNR suffered last year. While it might be stale news in that HKDNR has already dealt with this problem, it serves as a reminder that botnet criminals are still out there and still causing trouble. Spam and cybercrime are hitting record levels, and there is a need for constant awareness and joint efforts to mitigate the menace that botnets have evolved into over the last few years.

The ITU paper discusses the threat that botnets pose to the worldwide community of Internet users, and describes an interlinked set of policy, technology, and civil society approaches to the problem of botnets. Most of what I have written in this blog entry is already present in the ITU paper, so I will stop here and encourage people reading this to glance at the paper as well. It is 100 pages long, so probably not bedtime reading, but I'd still appreciate your comments.


I'm very pleased to see that you posted this summary, since I was thinking of doing so in a similar fashion (but I'm glad you beat me to it).

As you mentioned, the McAfee report used data from a period that was long enough to include the horrible issues that HKIRC/HKDNR suffered prior to "cleaning up their act", and to tell you the truth, I give them a lot of credit for finally cleaning up their act. Now if we could get other registries/registrars to do the same…

Last week during the 2nd Annual APWG Counter eCrime Operations Summit (CeCOS II), Bonnie Chun from HKIRC/HKDNR gave a presentation which provided an overview of how they have worked with the security community, HK-CERT, and law enforcement in Hong Kong (and abroad) to clean up criminal domain abuse in the .HK ccTLD.

So, while .HK may have once been a "bad neighborhood" with regards to malicious domains, etc., I certainly would not consider it to be any more dangerous than, say, .US or .EU in the grand scheme of things — especially not any more.
